The key you need to set on the client to allow ssh on the machine to forward connection to it is:
Hkey_local_machine\software\orl\winvnc3
Dword: allowloopback
Set it to 1 to allow and 0 (default) to not allow.

If your connections are only coming through ssh, you can in the same spot set a key of dword: loopbackonly and set it to 1.

Steve

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Chuck Renner
Sent: Wednesday, January 16, 2002 2:40 PM
To: [EMAIL PROTECTED]
Subject: RE: Providing (Windows) VNC support to clients that have strict corporate firewalls

Ok. I have tested this scenario. The tunneling works fine, but the total picture does not.

When you make the connection from WinVNC to VNCviewer using the tunnel through SSH, the VNCviewer on the other end thinks it is an "internal loopback connection", and disconnects you. This happens regardless of which IP address you use on the WinVNC machine.

Since VNCviewer states, "Internal loopback connections are not allowed", the implication is that there is a setting that WILL allow them, either in the source, or in the GUI settings. Is this the case?

So the solution just got more complicated. To avoid the VNCviewer thinking the connection is a loopback, you have to run the SSH client on a completely separate machine on the same LAN, and have to allow it to receive connections on its local port from other hosts, like so:

WinVNC on ClientWS1 ---> SSH on ClientWS2 port 5500 --> Internet --> sshd on MYFirewall port 443 --> VNCviewer on MyWS1 port 5500

This I have tested, and it works, but presents the following major two problems:

1. This is too complicated for the client.
2. Opening the SSH connection from the client to the SSHD on your Linux firewall is effectively like creating a VPN connection from the client to your network. This opens a huge security hole in your network, and gives someone on the client's network the ability to snoop around your network when the connection is made.
I am concerned about tunneling VNC through SSH, because it gives the client the ability to create more tunnels. Is it really wise to secure the client VNC connection, at the cost of exposing your own network to the client?

Feedback is greatly appreciated.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Michael Ossmann
Sent: Tuesday, January 15, 2002 12:59 PM
To: [EMAIL PROTECTED]
Subject: Re: Providing (Windows) VNC support to clients that have strict corporate firewalls

On Tue, Jan 15, 2002 at 10:10:18AM -0500, Chuck Renner wrote:
>
> WinVNC on ClientWS1 ---> SSH on ClientWS1 port 5500 --> Internet --> sshd on
> MYFirewall port 443 --> VNCviewer on MyWS1 port 5500
>
> Have I got the idea right? If so, I should be able to do this without
> recompiling VNC at all.

Yup. Of course your situation is somewhat complicated by the fact that you have no control over one of the firewalls, but the solution you described should work fine.

---------------------------------------------------------------------
To unsubscribe, mail [EMAIL PROTECTED] with the line:
'unsubscribe vnc-list' in the message BODY
See also: http://www.uk.research.att.com/vnc/intouch.html
---------------------------------------------------------------------
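
Added example, not part of the original thread: one way to address the concern raised above, that a client with an SSH login on MYFirewall can open further tunnels, is to restrict what the tunnel account may forward in sshd_config. The account name vnctunnel and the address 192.0.2.10 (standing in for MyWS1) are assumptions, and the options are those of current OpenSSH.

```conf
# sshd_config fragment for MYFirewall (added example, not from the thread).
# Assumptions: a dedicated account "vnctunnel" used only by clients, and
# 192.0.2.10 as a placeholder for the internal address of MyWS1.

# sshd listens on 443, as in the topology described in the thread.
Port 443

Match User vnctunnel
    # Permit only client-initiated (-L) forwards; no listeners opened
    # on the firewall on the client's behalf (-R).
    AllowTcpForwarding local

    # The single destination a forward may reach: the listening
    # VNCviewer on MyWS1 port 5500. Any other host:port is refused.
    PermitOpen 192.0.2.10:5500

    # No layer-3 tunnel devices, agent forwarding or X11 forwarding.
    PermitTunnel no
    AllowAgentForwarding no
    X11Forwarding no

    # No interactive shell: the account exists only to carry the forward.
    PermitTTY no
    ForceCommand /bin/false
```

With this in place the client side connects with `ssh -N -p 443 -L 5500:192.0.2.10:5500 vnctunnel@MYFirewall`, and a request to forward to any other host or port is refused by sshd.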